Claude Code governance: are your LLM controls keeping up?


(@nhi-mgmt-group)

TL;DR: Claude Code sessions can become unmonitored pipelines between developers, proprietary code, and Anthropic’s API unless organisations add centralized LLM governance, according to Kong. That makes cost, auditability, data leakage, and shadow AI the real programme risks, not the model itself.

NHIMG editorial — based on content published by Kong: Governing Claude Code: How To Secure Agent Harness Rollouts with Kong AI Gateway

By the numbers:

Questions worth separating out

Q: How should teams govern AI coding agents that can call external tools?

A: Treat the agent as a governed execution path, not a chat interface.

Q: Why do AI coding agents create more risk than standard developer assistants?

A: Because they can move from suggestion to action.

Q: What signals show that Claude Code or similar tools are operating outside governance boundaries?

A: Look for inconsistent model routing, missing prompt logs, unexplained token spend, tool access that differs by team, and sessions that bypass the central gateway.

Practitioner guidance

  • Route agentic coding traffic through a central AI gateway. Require Claude Code sessions to traverse a policy enforcement point that handles authentication, logging, content filtering, and model routing before any request leaves the environment.
  • Separate developer identity from model authentication. Do not let individual developers manage direct upstream credentials for model access.
  • Log prompts, responses, and tool calls as change evidence. Capture request content, response metadata, model selection, and any tool invocation so compliance teams can reconstruct what the agent saw and did during a session.

What's in the full article

Kong's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step Claude Code routing configuration through Kong AI Gateway for CLI and IDE usage
  • Plugin-level setup for token quotas, prompt logging, and response metadata capture across sessions
  • Specific examples of content filtering and PII redaction rules applied before model submission
  • MCP governance patterns for controlling external tool access as agent scope expands

👉 Read Kong's analysis of governing Claude Code with an AI gateway →
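
The out-of-governance signals listed in the third answer above can be checked mechanically once gateway and egress logs are collected. The sketch below is an added example, not part of the original post or Kong's article. Assumptions: the log schema, the `ai-gateway.internal` hostname, the team policy table and the `model-a`/`model-b` names are all hypothetical, and "unexplained token spend" is approximated as spend above a per-team budget.

```python
from collections import defaultdict

GATEWAY_HOST = "ai-gateway.internal"   # assumption: hostname of the central gateway
MODEL_API = "api.anthropic.com"        # upstream API that only the gateway should reach

# Assumption: per-team policy (approved models, tool allowlist, daily token budget).
POLICY = {
    "payments": {"models": {"model-a"}, "tools": {"git", "jira"}, "budget": 50_000},
    "platform": {"models": {"model-a", "model-b"}, "tools": {"git"}, "budget": 80_000},
}

# Constructed sample records; the schema is hypothetical, not Kong's log format.
GATEWAY_LOG = [
    {"session": "s1", "team": "payments", "model": "model-a", "tokens": 12_000,
     "prompt_logged": True, "tools": ["git"]},
    {"session": "s2", "team": "payments", "model": "model-b", "tokens": 45_000,
     "prompt_logged": False, "tools": ["git", "shell"]},
    {"session": "s3", "team": "platform", "model": "model-b", "tokens": 30_000,
     "prompt_logged": True, "tools": ["git"]},
]
EGRESS_LOG = [
    {"src": "ai-gateway.internal", "dst": "api.anthropic.com"},
    {"src": "dev-laptop-17", "dst": "api.anthropic.com"},
    {"src": "dev-laptop-17", "dst": "example.org"},
]

def find_signals(gateway_log, egress_log, policy):
    """Return sorted (signal, subject) pairs for each governance gap found."""
    findings, spend = set(), defaultdict(int)
    for rec in gateway_log:
        rules = policy[rec["team"]]
        spend[rec["team"]] += rec["tokens"]
        if rec["model"] not in rules["models"]:
            findings.add(("unapproved_model_route", rec["session"]))
        if not rec["prompt_logged"]:
            findings.add(("missing_prompt_log", rec["session"]))
        if set(rec["tools"]) - rules["tools"]:
            findings.add(("tool_outside_team_allowlist", rec["session"]))
    for team, total in spend.items():
        if total > policy[team]["budget"]:
            findings.add(("token_budget_exceeded", team))
    for flow in egress_log:  # direct flows to the model API that skip the gateway
        if flow["dst"] == MODEL_API and flow["src"] != GATEWAY_HOST:
            findings.add(("gateway_bypass", flow["src"]))
    return sorted(findings)

if __name__ == "__main__":
    for signal, subject in find_signals(GATEWAY_LOG, EGRESS_LOG, POLICY):
        print(f"{signal}: {subject}")
```

The bypass check depends on egress visibility (proxy, firewall or DNS logs), because a session that never touches the gateway leaves no gateway record to inspect.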
